just-bash 2.9.2 → 2.9.4

package/dist/bin/chunks/worker.js

@@ -1,7 +1,873 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
 // src/commands/python3/worker.ts
 import { parentPort, workerData } from "node:worker_threads";
 import { loadPyodide } from "pyodide";
 
+// src/security/blocked-globals.ts
+function getBlockedGlobals() {
+  const globals = [
+    // Direct code execution vectors
+    {
+      prop: "Function",
+      target: globalThis,
+      violationType: "function_constructor",
+      strategy: "throw",
+      reason: "Function constructor allows arbitrary code execution"
+    },
+    {
+      prop: "eval",
+      target: globalThis,
+      violationType: "eval",
+      strategy: "throw",
+      reason: "eval() allows arbitrary code execution"
+    },
+    // Timer functions with string argument allow code execution
+    {
+      prop: "setTimeout",
+      target: globalThis,
+      violationType: "setTimeout",
+      strategy: "throw",
+      reason: "setTimeout with string argument allows code execution"
+    },
+    {
+      prop: "setInterval",
+      target: globalThis,
+      violationType: "setInterval",
+      strategy: "throw",
+      reason: "setInterval with string argument allows code execution"
+    },
+    {
+      prop: "setImmediate",
+      target: globalThis,
+      violationType: "setImmediate",
+      strategy: "throw",
+      reason: "setImmediate could be used to escape sandbox context"
+    },
+    // Note: We intentionally do NOT block `process` entirely because:
+    // 1. Node.js internals (Promise resolution, etc.) use process.nextTick
+    // 2. Blocking process entirely breaks normal async operation
+    // 3. The primary code execution vectors (Function, eval) are already blocked
+    // However, we DO block specific dangerous process properties.
+    {
+      prop: "env",
+      target: process,
+      violationType: "process_env",
+      strategy: "throw",
+      reason: "process.env could leak sensitive environment variables"
+    },
+    {
+      prop: "binding",
+      target: process,
+      violationType: "process_binding",
+      strategy: "throw",
+      reason: "process.binding provides access to native Node.js modules"
+    },
+    {
+      prop: "_linkedBinding",
+      target: process,
+      violationType: "process_binding",
+      strategy: "throw",
+      reason: "process._linkedBinding provides access to native Node.js modules"
+    },
+    {
+      prop: "dlopen",
+      target: process,
+      violationType: "process_dlopen",
+      strategy: "throw",
+      reason: "process.dlopen allows loading native addons"
+    },
+    // Note: process.mainModule is handled specially in defense-in-depth-box.ts
+    // and worker-defense-in-depth.ts because it may be undefined in ESM contexts
+    // but we still want to block both reading and setting it.
+    // We also don't block `require` because:
+    // 1. It may not exist in all environments (ESM)
+    // 2. import() is the modern escape vector and can't be blocked this way
+    // Reference leak vectors
+    {
+      prop: "WeakRef",
+      target: globalThis,
+      violationType: "weak_ref",
+      strategy: "throw",
+      reason: "WeakRef could be used to leak references outside sandbox"
+    },
+    {
+      prop: "FinalizationRegistry",
+      target: globalThis,
+      violationType: "finalization_registry",
+      strategy: "throw",
+      reason: "FinalizationRegistry could be used to leak references outside sandbox"
+    },
+    // Introspection/interception vectors (freeze instead of throw)
+    {
+      prop: "Reflect",
+      target: globalThis,
+      violationType: "reflect",
+      strategy: "freeze",
+      reason: "Reflect provides introspection capabilities"
+    },
+    {
+      prop: "Proxy",
+      target: globalThis,
+      violationType: "proxy",
+      strategy: "throw",
+      reason: "Proxy allows intercepting and modifying object behavior"
+    },
+    // WebAssembly allows arbitrary code execution
+    {
+      prop: "WebAssembly",
+      target: globalThis,
+      violationType: "webassembly",
+      strategy: "throw",
+      reason: "WebAssembly allows executing arbitrary compiled code"
+    },
+    // SharedArrayBuffer and Atomics can enable side-channel attacks
+    {
+      prop: "SharedArrayBuffer",
+      target: globalThis,
+      violationType: "shared_array_buffer",
+      strategy: "throw",
+      reason: "SharedArrayBuffer could enable side-channel communication or timing attacks"
+    },
+    {
+      prop: "Atomics",
+      target: globalThis,
+      violationType: "atomics",
+      strategy: "throw",
+      reason: "Atomics could enable side-channel communication or timing attacks"
+    }
+    // Note: Error.prepareStackTrace is handled specially in defense-in-depth-box.ts
+    // because we only want to block SETTING it, not reading (V8 reads it internally)
+  ];
+  try {
+    const AsyncFunction = Object.getPrototypeOf(async () => {
+    }).constructor;
+    if (AsyncFunction && AsyncFunction !== Function) {
+      globals.push({
+        prop: "constructor",
+        target: Object.getPrototypeOf(async () => {
+        }),
+        violationType: "async_function_constructor",
+        strategy: "throw",
+        reason: "AsyncFunction constructor allows arbitrary async code execution"
+      });
+    }
+  } catch {
+  }
+  try {
+    const GeneratorFunction = Object.getPrototypeOf(
+      function* () {
+      }
+    ).constructor;
+    if (GeneratorFunction && GeneratorFunction !== Function) {
+      globals.push({
+        prop: "constructor",
+        target: Object.getPrototypeOf(function* () {
+        }),
+        violationType: "generator_function_constructor",
+        strategy: "throw",
+        reason: "GeneratorFunction constructor allows arbitrary generator code execution"
+      });
+    }
+  } catch {
+  }
+  try {
+    const AsyncGeneratorFunction = Object.getPrototypeOf(
+      async function* () {
+      }
+    ).constructor;
+    if (AsyncGeneratorFunction && AsyncGeneratorFunction !== Function && AsyncGeneratorFunction !== Object.getPrototypeOf(async () => {
+    }).constructor) {
+      globals.push({
+        prop: "constructor",
+        target: Object.getPrototypeOf(async function* () {
+        }),
+        violationType: "async_generator_function_constructor",
+        strategy: "throw",
+        reason: "AsyncGeneratorFunction constructor allows arbitrary async generator code execution"
+      });
+    }
+  } catch {
+  }
+  return globals.filter((g) => {
+    try {
+      return g.target[g.prop] !== void 0;
+    } catch {
+      return false;
+    }
+  });
+}
+
+// src/security/defense-in-depth-box.ts
+var IS_BROWSER = typeof __BROWSER__ !== "undefined" && __BROWSER__;
+var AsyncLocalStorageClass = null;
+if (!IS_BROWSER) {
+  try {
+    const { createRequire } = await import("node:module");
+    const require2 = createRequire(import.meta.url);
+    const asyncHooks = require2("node:async_hooks");
+    AsyncLocalStorageClass = asyncHooks.AsyncLocalStorage;
+  } catch (e) {
+    console.debug(
+      "[DefenseInDepthBox] AsyncLocalStorage not available, defense-in-depth disabled:",
+      e instanceof Error ? e.message : e
+    );
+  }
+}
+var executionContext = !IS_BROWSER && AsyncLocalStorageClass ? new AsyncLocalStorageClass() : null;
+
+// src/security/worker-defense-in-depth.ts
+var DEFENSE_IN_DEPTH_NOTICE = "\n\nThis is a defense-in-depth measure and indicates a bug in just-bash. Please report this at security@vercel.com";
+var WorkerSecurityViolationError = class extends Error {
+  constructor(message, violation) {
+    super(message + DEFENSE_IN_DEPTH_NOTICE);
+    this.violation = violation;
+    this.name = "WorkerSecurityViolationError";
+  }
+};
+var MAX_STORED_VIOLATIONS = 1e3;
+function generateExecutionId() {
+  if (typeof crypto !== "undefined" && crypto.randomUUID) {
+    return crypto.randomUUID();
+  }
+  return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, (c) => {
+    const r = Math.random() * 16 | 0;
+    const v = c === "x" ? r : r & 3 | 8;
+    return v.toString(16);
+  });
+}
+var WorkerDefenseInDepth = class {
+  config;
+  isActivated = false;
+  originalDescriptors = [];
+  violations = [];
+  executionId;
+  /**
+   * Original Proxy constructor, captured before patching.
+   * This is captured at instance creation time to ensure we get the unpatched version.
+   */
+  originalProxy;
+  /**
+   * Recursion guard to prevent infinite loops when proxy traps trigger
+   * code that accesses the same proxied object (e.g., process.env).
+   */
+  inTrap = false;
+  /**
+   * Create and activate the worker defense layer.
+   *
+   * @param config - Configuration for the defense layer
+   */
+  constructor(config) {
+    this.originalProxy = Proxy;
+    this.config = config;
+    this.executionId = generateExecutionId();
+    if (config.enabled !== false) {
+      this.activate();
+    }
+  }
+  /**
+   * Get statistics about the defense layer.
+   */
+  getStats() {
+    return {
+      violationsBlocked: this.violations.length,
+      violations: [...this.violations],
+      isActive: this.isActivated
+    };
+  }
+  /**
+   * Clear stored violations. Useful for testing.
+   */
+  clearViolations() {
+    this.violations = [];
+  }
+  /**
+   * Get the execution ID for this worker.
+   */
+  getExecutionId() {
+    return this.executionId;
+  }
+  /**
+   * Deactivate the defense layer and restore original globals.
+   * Typically only needed for testing.
+   */
+  deactivate() {
+    if (!this.isActivated) {
+      return;
+    }
+    this.restorePatches();
+    this.isActivated = false;
+  }
+  /**
+   * Activate the defense layer by applying patches.
+   */
+  activate() {
+    if (this.isActivated) {
+      return;
+    }
+    this.applyPatches();
+    this.isActivated = true;
+  }
+  /**
+   * Get a human-readable path for a target object and property.
+   */
+  getPathForTarget(target, prop) {
+    if (target === globalThis) {
+      return `globalThis.${prop}`;
+    }
+    if (typeof process !== "undefined" && target === process) {
+      return `process.${prop}`;
+    }
+    if (target === Error) {
+      return `Error.${prop}`;
+    }
+    if (target === Function.prototype) {
+      return `Function.prototype.${prop}`;
+    }
+    if (target === Object.prototype) {
+      return `Object.prototype.${prop}`;
+    }
+    return `<object>.${prop}`;
+  }
+  /**
+   * Record a violation and invoke the callback.
+   * In worker context, blocking always happens (no audit mode context check).
+   */
+  recordViolation(type, path, message) {
+    const violation = {
+      timestamp: Date.now(),
+      type,
+      message,
+      path,
+      stack: new Error().stack,
+      executionId: this.executionId
+    };
+    if (this.violations.length < MAX_STORED_VIOLATIONS) {
+      this.violations.push(violation);
+    }
+    if (this.config.onViolation) {
+      try {
+        this.config.onViolation(violation);
+      } catch (e) {
+        console.debug(
+          "[WorkerDefenseInDepth] onViolation callback threw:",
+          e instanceof Error ? e.message : e
+        );
+      }
+    }
+    return violation;
+  }
+  /**
+   * Create a blocking proxy for a function.
+   * In worker context, always blocks (no context check needed).
+   */
+  // @banned-pattern-ignore: intentional use of Function type for security proxy
+  createBlockingProxy(original, path, violationType) {
+    const self = this;
+    const auditMode = this.config.auditMode;
+    return new this.originalProxy(original, {
+      apply(target, thisArg, args) {
+        const message = `${path} is blocked in worker context`;
+        const violation = self.recordViolation(violationType, path, message);
+        if (!auditMode) {
+          throw new WorkerSecurityViolationError(message, violation);
+        }
+        return Reflect.apply(target, thisArg, args);
+      },
+      construct(target, args, newTarget) {
+        const message = `${path} constructor is blocked in worker context`;
+        const violation = self.recordViolation(violationType, path, message);
+        if (!auditMode) {
+          throw new WorkerSecurityViolationError(message, violation);
+        }
+        return Reflect.construct(target, args, newTarget);
+      }
+    });
+  }
+  /**
+   * Create a blocking proxy for an object (blocks all property access).
+   */
+  createBlockingObjectProxy(original, path, violationType) {
+    const self = this;
+    const auditMode = this.config.auditMode;
+    return new this.originalProxy(original, {
+      get(target, prop, receiver) {
+        if (self.inTrap) {
+          return Reflect.get(target, prop, receiver);
+        }
+        self.inTrap = true;
+        try {
+          const fullPath = `${path}.${String(prop)}`;
+          const message = `${fullPath} is blocked in worker context`;
+          const violation = self.recordViolation(
+            violationType,
+            fullPath,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.get(target, prop, receiver);
+        } finally {
+          self.inTrap = false;
+        }
+      },
+      set(target, prop, value, receiver) {
+        if (self.inTrap) {
+          return Reflect.set(target, prop, value, receiver);
+        }
+        self.inTrap = true;
+        try {
+          const fullPath = `${path}.${String(prop)}`;
+          const message = `${fullPath} modification is blocked in worker context`;
+          const violation = self.recordViolation(
+            violationType,
+            fullPath,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.set(target, prop, value, receiver);
+        } finally {
+          self.inTrap = false;
+        }
+      },
+      ownKeys(target) {
+        if (self.inTrap) {
+          return Reflect.ownKeys(target);
+        }
+        self.inTrap = true;
+        try {
+          const message = `${path} enumeration is blocked in worker context`;
+          const violation = self.recordViolation(violationType, path, message);
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.ownKeys(target);
+        } finally {
+          self.inTrap = false;
+        }
+      },
+      getOwnPropertyDescriptor(target, prop) {
+        if (self.inTrap) {
+          return Reflect.getOwnPropertyDescriptor(target, prop);
+        }
+        self.inTrap = true;
+        try {
+          const fullPath = `${path}.${String(prop)}`;
+          const message = `${fullPath} descriptor access is blocked in worker context`;
+          const violation = self.recordViolation(
+            violationType,
+            fullPath,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.getOwnPropertyDescriptor(target, prop);
+        } finally {
+          self.inTrap = false;
+        }
+      },
+      has(target, prop) {
+        if (self.inTrap) {
+          return Reflect.has(target, prop);
+        }
+        self.inTrap = true;
+        try {
+          const fullPath = `${path}.${String(prop)}`;
+          const message = `${fullPath} existence check is blocked in worker context`;
+          const violation = self.recordViolation(
+            violationType,
+            fullPath,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.has(target, prop);
+        } finally {
+          self.inTrap = false;
+        }
+      }
+    });
+  }
+  /**
+   * Apply security patches to dangerous globals.
+   */
+  applyPatches() {
+    const blockedGlobals = getBlockedGlobals();
+    const excludeTypes = new Set(this.config.excludeViolationTypes ?? []);
+    for (const blocked of blockedGlobals) {
+      if (excludeTypes.has(blocked.violationType)) {
+        continue;
+      }
+      this.applyPatch(blocked);
+    }
+    if (!excludeTypes.has("function_constructor")) {
+      this.protectConstructorChain(excludeTypes);
+    }
+    if (!excludeTypes.has("error_prepare_stack_trace")) {
+      this.protectErrorPrepareStackTrace();
+    }
+    if (!excludeTypes.has("module_load")) {
+      this.protectModuleLoad();
+    }
+    if (!excludeTypes.has("process_main_module")) {
+      this.protectProcessMainModule();
+    }
+  }
+  /**
+   * Protect against .constructor.constructor escape vector.
+   * @param excludeTypes - Set of violation types to skip
+   */
+  protectConstructorChain(excludeTypes) {
+    let AsyncFunction = null;
+    let GeneratorFunction = null;
+    let AsyncGeneratorFunction = null;
+    try {
+      AsyncFunction = Object.getPrototypeOf(async () => {
+      }).constructor;
+    } catch {
+    }
+    try {
+      GeneratorFunction = Object.getPrototypeOf(function* () {
+      }).constructor;
+    } catch {
+    }
+    try {
+      AsyncGeneratorFunction = Object.getPrototypeOf(
+        async function* () {
+        }
+      ).constructor;
+    } catch {
+    }
+    this.patchPrototypeConstructor(
+      Function.prototype,
+      "Function.prototype.constructor",
+      "function_constructor"
+    );
+    if (!excludeTypes.has("async_function_constructor") && AsyncFunction && AsyncFunction !== Function) {
+      this.patchPrototypeConstructor(
+        AsyncFunction.prototype,
+        "AsyncFunction.prototype.constructor",
+        "async_function_constructor"
+      );
+    }
+    if (!excludeTypes.has("generator_function_constructor") && GeneratorFunction && GeneratorFunction !== Function) {
+      this.patchPrototypeConstructor(
+        GeneratorFunction.prototype,
+        "GeneratorFunction.prototype.constructor",
+        "generator_function_constructor"
+      );
+    }
+    if (!excludeTypes.has("async_generator_function_constructor") && AsyncGeneratorFunction && AsyncGeneratorFunction !== Function && AsyncGeneratorFunction !== AsyncFunction) {
+      this.patchPrototypeConstructor(
+        AsyncGeneratorFunction.prototype,
+        "AsyncGeneratorFunction.prototype.constructor",
+        "async_generator_function_constructor"
+      );
+    }
+  }
+  /**
+   * Protect Error.prepareStackTrace from being set.
+   */
+  protectErrorPrepareStackTrace() {
+    const self = this;
+    const auditMode = this.config.auditMode;
+    try {
+      const originalDescriptor = Object.getOwnPropertyDescriptor(
+        Error,
+        "prepareStackTrace"
+      );
+      this.originalDescriptors.push({
+        target: Error,
+        prop: "prepareStackTrace",
+        descriptor: originalDescriptor
+      });
+      let currentValue = originalDescriptor?.value;
+      Object.defineProperty(Error, "prepareStackTrace", {
+        get() {
+          return currentValue;
+        },
+        set(value) {
+          const message = "Error.prepareStackTrace modification is blocked in worker context";
+          const violation = self.recordViolation(
+            "error_prepare_stack_trace",
+            "Error.prepareStackTrace",
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          currentValue = value;
+        },
+        configurable: true
+      });
+    } catch {
+    }
+  }
+  /**
+   * Patch a prototype's constructor property.
+   *
+   * Returns a proxy that allows reading properties (like .name) but blocks
+   * calling the constructor as a function (which would allow code execution).
+   */
+  patchPrototypeConstructor(prototype, path, violationType) {
+    const self = this;
+    const auditMode = this.config.auditMode;
+    try {
+      const originalDescriptor = Object.getOwnPropertyDescriptor(
+        prototype,
+        "constructor"
+      );
+      this.originalDescriptors.push({
+        target: prototype,
+        prop: "constructor",
+        descriptor: originalDescriptor
+      });
+      const originalValue = originalDescriptor?.value;
+      const constructorProxy = originalValue && typeof originalValue === "function" ? new this.originalProxy(originalValue, {
+        apply(_target, _thisArg, _args) {
+          const message = `${path} invocation is blocked in worker context`;
+          const violation = self.recordViolation(
+            violationType,
+            path,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return void 0;
+        },
+        construct(_target, _args, _newTarget) {
+          const message = `${path} construction is blocked in worker context`;
+          const violation = self.recordViolation(
+            violationType,
+            path,
+            message
+          );
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return {};
+        },
+        // Allow all property access (like .name, .prototype, etc.)
+        get(target, prop, receiver) {
+          return Reflect.get(target, prop, receiver);
+        },
+        getPrototypeOf(target) {
+          return Reflect.getPrototypeOf(target);
+        },
+        has(target, prop) {
+          return Reflect.has(target, prop);
+        },
+        ownKeys(target) {
+          return Reflect.ownKeys(target);
+        },
+        getOwnPropertyDescriptor(target, prop) {
+          return Reflect.getOwnPropertyDescriptor(target, prop);
+        }
+      }) : originalValue;
+      Object.defineProperty(prototype, "constructor", {
+        get() {
+          return constructorProxy;
+        },
+        set(value) {
+          const message = `${path} modification is blocked in worker context`;
+          const violation = self.recordViolation(violationType, path, message);
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          Object.defineProperty(this, "constructor", {
+            value,
+            writable: true,
+            configurable: true
+          });
+        },
+        configurable: true
+      });
+    } catch {
+    }
+  }
+  /**
+   * Protect process.mainModule from being accessed or set.
+   *
+   * The attack vector is:
+   * ```
+   * process.mainModule.require('child_process').execSync('whoami')
+   * process.mainModule.constructor._load('vm')
+   * ```
+   *
+   * process.mainModule may be undefined in ESM contexts but could exist in
+   * CommonJS workers. We block both reading and setting.
+   */
+  protectProcessMainModule() {
+    if (typeof process === "undefined") return;
+    const self = this;
+    const auditMode = this.config.auditMode;
+    try {
+      const originalDescriptor = Object.getOwnPropertyDescriptor(
+        process,
+        "mainModule"
+      );
+      this.originalDescriptors.push({
+        target: process,
+        prop: "mainModule",
+        descriptor: originalDescriptor
+      });
+      const currentValue = originalDescriptor?.value;
+      if (currentValue !== void 0) {
+        Object.defineProperty(process, "mainModule", {
+          get() {
+            const message = "process.mainModule access is blocked in worker context";
+            const violation = self.recordViolation(
+              "process_main_module",
+              "process.mainModule",
+              message
+            );
+            if (!auditMode) {
+              throw new WorkerSecurityViolationError(message, violation);
+            }
+            return currentValue;
+          },
+          set(value) {
+            const message = "process.mainModule modification is blocked in worker context";
+            const violation = self.recordViolation(
+              "process_main_module",
+              "process.mainModule",
+              message
+            );
+            if (!auditMode) {
+              throw new WorkerSecurityViolationError(message, violation);
+            }
+            Object.defineProperty(process, "mainModule", {
+              value,
+              writable: true,
+              configurable: true
+            });
+          },
+          configurable: true
+        });
+      }
+    } catch {
+    }
+  }
+  /**
+   * Protect Module._load from being called.
+   *
+   * The attack vector is:
+   * ```
+   * module.constructor._load('child_process')
+   * require.main.constructor._load('vm')
+   * ```
+   *
+   * We access the Module class and replace _load with a blocking proxy.
+   */
+  protectModuleLoad() {
+    const self = this;
+    const auditMode = this.config.auditMode;
+    try {
+      let ModuleClass = null;
+      if (typeof process !== "undefined") {
+        const mainModule = process.mainModule;
+        if (mainModule && typeof mainModule === "object") {
+          ModuleClass = mainModule.constructor;
+        }
+      }
+      if (!ModuleClass && typeof __require !== "undefined" && typeof __require.main !== "undefined") {
+        ModuleClass = __require.main.constructor;
+      }
+      if (!ModuleClass || typeof ModuleClass._load !== "function") {
+        return;
+      }
+      const original = ModuleClass._load;
+      const descriptor = Object.getOwnPropertyDescriptor(ModuleClass, "_load");
+      this.originalDescriptors.push({
+        target: ModuleClass,
+        prop: "_load",
+        descriptor
+      });
+      const path = "Module._load";
+      const proxy = new this.originalProxy(original, {
+        apply(_target, _thisArg, _args) {
+          const message = `${path} is blocked in worker context`;
+          const violation = self.recordViolation("module_load", path, message);
+          if (!auditMode) {
+            throw new WorkerSecurityViolationError(message, violation);
+          }
+          return Reflect.apply(_target, _thisArg, _args);
+        }
+      });
+      Object.defineProperty(ModuleClass, "_load", {
+        value: proxy,
+        writable: true,
+        configurable: true
+      });
+    } catch {
+    }
+  }
+  /**
+   * Apply a single patch to a blocked global.
+   */
+  applyPatch(blocked) {
+    const { target, prop, violationType, strategy } = blocked;
+    try {
+      const original = target[prop];
+      if (original === void 0) {
+        return;
+      }
+      const descriptor = Object.getOwnPropertyDescriptor(target, prop);
+      this.originalDescriptors.push({ target, prop, descriptor });
+      if (strategy === "freeze") {
+        if (typeof original === "object" && original !== null) {
+          Object.freeze(original);
+        }
+      } else {
+        const path = this.getPathForTarget(target, prop);
+        const proxy = typeof original === "function" ? this.createBlockingProxy(
+          original,
+          path,
+          violationType
+        ) : this.createBlockingObjectProxy(
+          original,
+          path,
+          violationType
+        );
+        Object.defineProperty(target, prop, {
+          value: proxy,
+          writable: true,
+          configurable: true
+        });
+      }
+    } catch {
+    }
+  }
+  /**
+   * Restore all original values.
+   */
+  restorePatches() {
+    for (let i = this.originalDescriptors.length - 1; i >= 0; i--) {
+      const { target, prop, descriptor } = this.originalDescriptors[i];
+      try {
+        if (descriptor) {
+          Object.defineProperty(target, prop, descriptor);
+        } else {
+          delete target[prop];
+        }
+      } catch {
+      }
+    }
+    this.originalDescriptors = [];
+  }
+};
+
 // src/commands/python3/protocol.ts
 var OpCode = {
   NOOP: 0,
@@ -831,6 +1697,7 @@ class _JbHttpResponse:
     def __init__(self, data):
         self.status_code = data.get('status', 0)
         self.reason = data.get('statusText', '')
+        # @banned-pattern-ignore: Python code, not JavaScript
         self.headers = data.get('headers', {})
         self.text = data.get('body', '')
         self.url = data.get('url', '')
@@ -1339,18 +2206,51 @@ except SystemExit as e:
     return { success: true };
   }
 }
+var defense = null;
+async function initializeWithDefense() {
+  await getPyodide();
+  defense = new WorkerDefenseInDepth({
+    excludeViolationTypes: [
+      "proxy",
+      "setImmediate",
+      // 3. SharedArrayBuffer/Atomics: Used by sync-fs-backend.ts for synchronous
+      //    filesystem communication between Pyodide's WASM thread and the main thread.
+      //    Without this, Pyodide cannot perform synchronous file I/O operations.
+      "shared_array_buffer",
+      "atomics"
+    ],
+    onViolation: (v) => {
+      parentPort?.postMessage({ type: "security-violation", violation: v });
+    }
+  });
+}
 if (parentPort) {
   if (workerData) {
-    runPython(workerData).then((result) => {
+    initializeWithDefense().then(() => runPython(workerData)).then((result) => {
+      result.defenseStats = defense?.getStats();
       parentPort?.postMessage(result);
+    }).catch((e) => {
+      parentPort?.postMessage({
+        success: false,
+        error: e.message,
+        defenseStats: defense?.getStats()
+      });
     });
   }
   parentPort.on("message", async (input) => {
     try {
+      if (!defense) {
+        await initializeWithDefense();
+      }
       const result = await runPython(input);
+      result.defenseStats = defense?.getStats();
       parentPort?.postMessage(result);
     } catch (e) {
-      parentPort?.postMessage({ success: false, error: e.message });
+      parentPort?.postMessage({
+        success: false,
+        error: e.message,
+        defenseStats: defense?.getStats()
+      });
     }
   });
 }